Ghostfolio and OAuth (Authentik/Authelia)

[lmaced0]

Does Ghostfolio support SSO through OAuth or SAML? Ghostfolio has a very specific login interface where users need to memorize a token to login... I already have Authentik setup for all the services I run in my lab, wondering if anyone has done this already.

[0xFEEDC0DE64]

Lets patch ghostfolio to accept the token as custom header provided by the reverse proxy which gets it from a custom property mapping in authentik, which extracts it from the users attributes using python

[dtslvr]

Hi there,

Ghostfolio uses Passport.js for authentication.

Could integrating the passport-oauth2 strategy help with your use case? Would you be able to work on this integration?

Let us know if you would like to explore this.

[0xFEEDC0DE64]

yes, looks good to me. is this something that could be done quickly or should I try to patch the docker image using entrypoint: 'sed .... && original-ghostfolio-cmd'

[dtslvr]

I believe a robust integration without any shortcuts is crucial for authentication and security.

[0xFEEDC0DE64]

can you provide such a feature in the official ghostfolio distributions?

[dtslvr]

While our development is currently focused on other core areas, we are happy to assist with a community contribution for this feature.

[gmag11]

Hi. @dtslvr, I've done an implementation of OIDC and tested with Authentik in my setup. Maybe there are some architectural decisions that you would change and some style issues but it works in all tests that I've done. If you like I can do a PR so that you can have a look and give me some guidelines to adapt this.

It would need to be tested in different setups with Authelia and some other authentication gateways. I've not tested together with Google auth neither.

[Vpatrik]

I did configure all parameters.
I can later try if it works with the required ones only.

[Loigzorn]

Can confirm the implementation of OIDC works like a charm, thank you @gmag11 for the work on the feature.
I use Authentik as my auth provider.
At first I overlooked the requirement of the ROOT_URL environment variable, resulting in a faulty request url.
After I set the ROOT_URL, I could login using the auth provider.
I only had to set the required environment variables, all optional variables have stayed untouched.

This is not that much new news, but I only have Authentik running in my environment.

[Vpatrik]

I tested using only the required options for Authelia now and it works

[zhuqf]

@Vpatrik can you share the example of Authelia setting? my sertup shows " (method GET) is not authorized to user , responding with status code 401", do not kow which setting is missing

[Vpatrik]

Here's the redacted settings:

      - client_id: SECRET_ID
        client_name: "Ghostfolio"
        client_secret: SECRET
        public: false
        authorization_policy: "two_factor"
        scopes:
          - openid
          - profile
          - groups
          - email
        redirect_uris:
          - "https://portfolio.MYDOMAIN/api/auth/oidc/callback"
        userinfo_signed_response_alg: "none"
        token_endpoint_auth_method: "client_secret_post"

[RogerSik]

I would like to enable oauth with authentik. Where do I see how the env vars are named so i can confire it?

[dtslvr]

All environment variables are listed in the OpenID Connect section of the README.md file.

[lmaced0]

Hey @gmag11! Thanks for the nice work on this.
Trying to get this set up with Authentik and when clicking on the Sign in with OIDC button I’m redirected to this Ghostfolio page saying:

{"message":"Unauthorized","statusCode":401}

Any ideas what might be causing this? I don’t see anything specific in the logs. The URL is: $ROOT_URL/api/auth/oidc/callback?code=xxxxxx&state=xxxxxxx

[gmag11]

Hi, you just need to fill:

• ROOT_URL to your external ghostfolio URL
• ENABLE_FEATURE_AUTH_OIDC=true
• OIDC_CLIENT_ID from Authentik ghostfolio provider
• OIDC_CLIENT_SECRET from Authentik ghostfolio provider
• OIDC_ISSUER from Authentik ghostfolio provider

There is no need to configure OIDC_CALLBACK_URL or other OIDC settings.

Ensure that REDIRECT_URI in Authentik is set to https://<your_ghostfolio>/api/auth/oidc/callback

If you leave REDIRECT_URI empty in Authentik it will accept and configure first uri that it gets.

Hope it helps.

[lmaced0]

There was a typo on OIDC_ISSUER. It was missing the / at the end. I assumed it was appending /.well-known/openid-configuration at the end of the URL.

All good now. It's working.

[flowcool]

Hello Team,

I just implemented this (so happy and even more when we'll have the possibility to link existing account to it).

So in env, I added:

      ROOT_URL: "https://ghost.myrealdomain.com"
      ENABLE_FEATURE_AUTH_OIDC: true
      OIDC_CLIENT_ID: ghost
      OIDC_CLIENT_SECRET: "XXXXXXXXXXXXXXXXXX"
      OIDC_ISSUER: "https://auth.myrealdomain.com/.well-known/openid-configuration"

But in logs, I had this:

2026-01-21T11:31:43.125792102Z [Nest] 7  - 01/21/2026, 11:31:43 AM   ERROR [OidcStrategy] SyntaxError: Unexpected token 'E', "Error 404:"... is not valid JSON
2026-01-21T11:31:43.125838350Z     at JSON.parse (<anonymous>)
2026-01-21T11:31:43.125844452Z     at parseJSONFromBytes (node:internal/deps/undici/undici:5852:19)
2026-01-21T11:31:43.125848916Z     at successSteps (node:internal/deps/undici/undici:5833:27)
2026-01-21T11:31:43.125854685Z     at fullyReadBody (node:internal/deps/undici/undici:4725:9)
2026-01-21T11:31:43.125858487Z     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
2026-01-21T11:31:43.125862300Z     at async consumeBody (node:internal/deps/undici/undici:5842:7)
2026-01-21T11:31:43.125865984Z     at async InstanceWrapper.useFactory [as metatype] (/ghostfolio/apps/api/main.js:1:818878)
2026-01-21T11:31:43.125870359Z     at async Injector.instantiateClass (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/injector.js:424:37)
2026-01-21T11:31:43.125874818Z     at async callback (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/injector.js:70:34)
2026-01-21T11:31:43.125879053Z     at async Injector.resolveConstructorParams (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/injector.js:170:24)
2026-01-21T11:31:43.126440977Z [Nest] 7  - 01/21/2026, 11:31:43 AM   ERROR [ExceptionHandler] Error: Failed to fetch OIDC configuration from issuer
2026-01-21T11:31:43.126454055Z     at InstanceWrapper.useFactory [as metatype] (/ghostfolio/apps/api/main.js:1:819018)
2026-01-21T11:31:43.126486368Z     at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
2026-01-21T11:31:43.126490385Z     at async Injector.instantiateClass (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/injector.js:424:37)
2026-01-21T11:31:43.126493762Z     at async callback (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/injector.js:70:34)
2026-01-21T11:31:43.126496732Z     at async Injector.resolveConstructorParams (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/injector.js:170:24)
2026-01-21T11:31:43.126499651Z     at async Injector.loadInstance (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/injector.js:75:13)
2026-01-21T11:31:43.126502512Z     at async Injector.loadProvider (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/injector.js:103:9)
2026-01-21T11:31:43.126505308Z     at async /ghostfolio/apps/api/node_modules/@nestjs/core/injector/instance-loader.js:56:13
2026-01-21T11:31:43.126508099Z     at async Promise.all (index 9)
2026-01-21T11:31:43.126510437Z     at async InstanceLoader.createInstancesOfProviders (/ghostfolio/apps/api/node_modules/@nestjs/core/injector/instance-loader.js:55:9)

doing a curl from ghostfolio to https://auth.myrealdomain.com/.well-known/openid-configuration
is working perfectly...

So I insisted and added:

      OIDC_AUTHORIZATION_URL: "https://auth.myrealdomain.com/api/oidc/authorization"
      OIDC_TOKEN_URL: "https://auth.myrealdomain.com/api/oidc/token"
      OIDC_USER_INFO_URL: "https://auth.myrealdomain.com/api/oidc/userinfo"

And container started to boot !

but then I have a 401 while tryring to play... I'll try to debug tonight

[gmag11]

Notice that issuer must end with a "/": https://auth.domain.com/application/o/ghostfolio/ <-- You have used configuration url instead issuer url.

[flowcool]

Thank your for your answer; I tried that too:
OIDC_ISSUER: "https://auth.myrealdomain.com/.well-known/openid-configuration/"

But same jumping into 401 (i'm using authelia BTW and config like that is working quick well elsewhere); I'm puzzle to not see any error in logs anywhere (ghostfolio, authelia or traefik)

[jdelker]

I'm exactly on the same page here.
After authenticating on the IDP (Keycloak in this case), the user gets redirected back to ghostfolio (URL: /api/auth/oidc/callback?state=...).
Unfortunately, the service responds with "401 Unauthorized" to that request.

I didn't manage to get any log output for that.
Could someone please advise for more troubleshooting...?

[zhuqf]

did you try

OIDC_ISSUER: "https://auth.myrealdomain.com"

my setup works after I remove last / and only keep the domain name

[jdelker]

Indeed it does work that way!
From previous posts I got the impression, that I'm actually missing the last / slash, but obviously it's the other way around.
Thanks for the hint.

[Str1atum]

Just installed Ghostfolio with Authelia identification, so far everything works fine.
But when I change the language to something else than English and logout, the language switches back to. English on the next login. It saved in the database correctly even after logout, but is changed to "English" on login.